libbinder: RPC error on unexpected session ID size

The session ID is created by the server, and passed to the client. This prevents making a OOM-large allocation if a malicious client claims to pass a large session ID. Fixes: 201599425 Test: binderRpcTest Change-Id: I24c66b70fbb5e194c2b603214e2f962b31ff27f9
author: Steven Moreland <smoreland@google.com> 2021-09-30 15:40:27 -0700
committer: Steven Moreland <smoreland@google.com> 2021-09-30 15:50:43 -0700
commit: c503204736ff74758ed94f42dea1a90699923d10 (patch)
tree: 8b38420b4b6c1cfa5963caa2239588e84f63e1c3
parent: 692ae86f088f6c0be9140625b008d838440e035b (diff)
download: native-c503204736ff74758ed94f42dea1a90699923d10.tar.gz
1 files changed, 17 insertions, 9 deletions
diff --git a/libs/binder/RpcServer.cpp b/libs/binder/RpcServer.cpp
index ba2920e3ac..44b588be00 100644
--- a/libs/binder/RpcServer.cpp
+++ b/libs/binder/RpcServer.cpp
@@ -16,6 +16,7 @@
 
 #define LOG_TAG "RpcServer"
 
+#include <inttypes.h>
 #include <poll.h>
 #include <sys/socket.h>
 #include <sys/un.h>
@@ -38,6 +39,8 @@
 
 namespace android {
 
+constexpr size_t kSessionIdBytes = 32;
+
 using base::ScopeGuard;
 using base::unique_fd;
 
@@ -289,13 +292,19 @@ void RpcServer::establishConnection(sp<RpcServer>&& server, base::unique_fd clie
     std::vector<uint8_t> sessionId;
     if (status == OK) {
         if (header.sessionIdSize > 0) {
-            sessionId.resize(header.sessionIdSize);
-            status = client->interruptableReadFully(server->mShutdownTrigger.get(),
-                                                    sessionId.data(), sessionId.size(), {});
-            if (status != OK) {
-                ALOGE("Failed to read session ID for client connecting to RPC server: %s",
-                      statusToString(status).c_str());
-                // still need to cleanup before we can return
+            if (header.sessionIdSize == kSessionIdBytes) {
+                sessionId.resize(header.sessionIdSize);
+                status = client->interruptableReadFully(server->mShutdownTrigger.get(),
+                                                        sessionId.data(), sessionId.size(), {});
+                if (status != OK) {
+                    ALOGE("Failed to read session ID for client connecting to RPC server: %s",
+                          statusToString(status).c_str());
+                    // still need to cleanup before we can return
+                }
+            } else {
+                ALOGE("Malformed session ID. Expecting session ID of size %zu but got %" PRIu16,
+                      kSessionIdBytes, header.sessionIdSize);
+                status = BAD_VALUE;
             }
         }
     }
@@ -353,8 +362,7 @@ void RpcServer::establishConnection(sp<RpcServer>&& server, base::unique_fd clie
             // Uniquely identify session at the application layer. Even if a
             // client/server use the same certificates, if they create multiple
             // sessions, we still want to distinguish between them.
-            constexpr size_t kSessionIdSize = 32;
-            sessionId.resize(kSessionIdSize);
+            sessionId.resize(kSessionIdBytes);
             size_t tries = 0;
             do {
                 // don't block if there is some entropy issue
author	Steven Moreland <smoreland@google.com>	2021-09-30 15:40:27 -0700
committer	Steven Moreland <smoreland@google.com>	2021-09-30 15:50:43 -0700
commit	c503204736ff74758ed94f42dea1a90699923d10 (patch)
tree	8b38420b4b6c1cfa5963caa2239588e84f63e1c3
parent	692ae86f088f6c0be9140625b008d838440e035b (diff)
download	native-c503204736ff74758ed94f42dea1a90699923d10.tar.gz